@World - CBSNews.com
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) used an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.
The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.
References:
- bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
- The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
- bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
- The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
- The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox. US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
- DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
- cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
- Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
- Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
- Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
- BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
- hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
- Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
- Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
- techxplore.com: US indicts 12 Chinese nationals in hacking
- US Charges Members of Chinese Hacker-for-Hire Group i-Soon
- Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
- Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
- blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
- Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
- Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.
@www.fda.gov
The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued warnings regarding a critical security flaw in Contec CMS8000 patient monitors. These monitors, manufactured by a Chinese company, contain a hidden backdoor that allows unauthorized remote access. The backdoor causes the devices to connect to a hard-coded IP address located at a third-party university in China, potentially allowing the download and execution of unverified files. The vulnerabilities, tracked as CVE-2025-0626 and CVE-2025-0683, impact all analyzed firmware versions of the device.
The discovered backdoor poses a significant risk to patient safety and data privacy. It allows malicious actors to modify device settings, execute arbitrary code, and alter displayed vital signs. Furthermore, patient data, including personal and health information, is being sent in plain text to the hardcoded IP address. This unauthorized exfiltration of sensitive information and the potential for device manipulation could lead to improper medical responses and endanger patient well-being. CISA has stated that the backdoor is unlikely to be a normal update mechanism, noting it lacks any integrity-checking or version tracking, making it difficult for hospitals to detect compromised devices.
References:
- BleepingComputer: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
- CISA: CISA has an 11-page warning that a patient monitor known as Contec CMS8000 has an embedded backdoor with a hardcoded IP address which enables patient data spillage or remote code execution (CISA puts forth a scenario where the device is altered to display inaccurate patient vital signs, which poses a serious risk to patient safety).
- BleepingComputer: Backdoor found in two healthcare patient monitors, linked to IP in China
- www.helpnetsecurity.com: Patient monitors with backdoor are sending info to China, CISA warns
- socradar.io: CISA Warns of Backdoor in Contec CMS8000 Patient Monitors
- The Hacker News: CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors
- cyberinsider.com: CISA issues a warning about a backdoor in Contec CMS8000 patient monitors, highlighting the risk of remote code execution and patient data exfiltration.
- Help Net Security: Patient monitors with backdoor are sending info to China, CISA warns.
- thecyberexpress.com: Critical Flaws in Contec CMS8000 Allow Remote Code Execution and Patient Data Theft
- CyberInsider: Contec Monitors Used in U.S. Hospitals Carry Chinese Backdoor
- securityaffairs.com: The U.S. CISA and the FDA warned of a hidden backdoor in Contec CMS8000 and Epsimed MN-120 patient monitors.
- Information about the backdoor found in Contec patient monitors.
- securityonline.info: The Contec CMS8000 patient monitors are vulnerable to remote attacks.
- ciso2ciso.com: Backdoor in Chinese-made healthcare monitoring device leaks patient data – Source: www.csoonline.com
- securityboulevard.com: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
- www.csoonline.com: Contec CMS8000 patient monitors are found to have a hidden backdoor that transmits patient data to a hardcoded IP address and executes files remotely.
- therecord.media: CyberScoop article about the vulnerabilities in the monitors.
- Pyrzout :vm:: Contec CMS8000 patient monitors contain a hidden backdoor – Source: securityaffairs.com
- securityboulevard.com: Healthcare Crisis Emerges: Cybersecurity Vulnerabilities in Patient Monitors Confirmed by FDA
- Vulnerability-Lookup: A new bundle, CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware, has been published on Vulnerability-Lookup:
- securityonline.info: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding the Contec CMS8000 patient monitors.
- securityonline.info: CISA Warns of Hidden Backdoor in Contec CMS8000 Patient Monitors
- www.cysecurity.news: The U.S. Food and Drug Administration (FDA) has issued a safety communication highlighting cybersecurity vulnerabilities in certain patient monitors manufactured by Contec and relabeled by Epsimed.
- ciso2ciso.com: This news alert brings light to a critical backdoor discovered in widely used healthcare patient monitors.
- ciso2ciso.com: Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
- Security Boulevard: CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs
- claroty.com: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
- www.heise.de: Medical surveillance monitor: Backdoor discovered in Contec CMS8000 Attackers can attack medical hardware from Contec. This can result in malicious code getting onto devices. There has been no security update to date.
- Claroty: There was increased interest in the healthcare industry's patient monitors after CISA warned on 31 January 2025 that . Claroty's Team82 actually previously investigated the firmware and reached the conclusion that it is most likely not a hidden backdoor, but instead an insecure/vulnerable design that introduces great risk to the patient monitor users and hospital networks. Their conclusion is mainly based on the fact that the vendor (and resellers who re-label and sell the monitor) list the IP address in their manuals and instruct users to configure the Central Management System (CMS) with this IP address within their internal networks. Note: there are associated vulnerabilities: Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor (CVSSv4: 7.7 high / v3.1: 7.5 high), and Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Contec Health CMS8000 Patient Monitor (CVSSv4: 8.2 high / v3.1: 5.9 medium).
MalBot@malware.news
The US Treasury Department has sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe Network Technology Co., and a Shanghai-based hacker, Yin Kecheng, for their involvement in significant cyberattacks. These attacks compromised sensitive systems at the Treasury Department and at major US telecommunication companies and ISPs. Sichuan Juxinhe is linked to the Salt Typhoon hacking group, which has infiltrated numerous US telecom companies and ISPs, intercepting sensitive data from high-value political officials and communication platforms. Yin Kecheng, connected to the Chinese Ministry of State Security (MSS), is associated with the recent breach of the Treasury's network, which impacted systems involved in sanctions and foreign investment reviews.
The Treasury's systems, including those used by Secretary Janet Yellen, were accessed during the breach resulting in the theft of over 3,000 files. The stolen data included policy documents, organizational charts, and information on sanctions and foreign investment. The cyber activity has been attributed to the Salt Typhoon group, alongside a related group known as Silk Typhoon (formerly Hafnium), which exploited vulnerabilities in Microsoft Exchange Server and used compromised APIs. The Treasury Department stated that it will continue using its authority to hold accountable malicious actors that target American people and the US government.
References:
- malware.news: US Sanctions Chinese firm behind sweeping Salt Typhoon telecom hacks
- The Hacker News: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon
- BleepingComputer: US sanctions Chinese firm, hacker behind telecom and Treasury hacks
- ciso2ciso.com: US Sanctions Chinese Hacker & Firm for Treasury, Critical Infrastructure Breaches – Source: www.darkreading.com
- U.S. Treasury: Treasury's OFAC is sanctioning Yin Kecheng, a Shanghai-based cyber actor who was involved with the recent Department of the Treasury network compromise.
- ciso2ciso.com: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon – Source:thehackernews.com
- securityaffairs.com: U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
- ciso2ciso.com: Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network – Source: www.securityweek.com
- Pyrzout :vm:: Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network – Source: www.securityweek.com
- ciso2ciso.com: The U.S. Treasury’s OFAC sanctioned a Chinese cybersecurity firm and a Shanghai cyber actor for ties to Salt Typhoon and a federal agency breach.
- www.tomshardware.com: News report on Chinese hackers infiltrating US Treasury Secretary's PC and gaining access to over 400 PCs.
- ciso2ciso.com: U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
- www.nextgov.com: US Treasury Department sanctions imposed for Salt Typhoon's involvement.
- www.nextgov.com: The Treasury Department's sanctions follow a major hack targeting telecommunications companies and potentially impacting high-value political officials.
- Threats | CyberScoop: Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks.
- thecyberexpress.com: U.S. Treasury sanctions Salt Typhoon hackers
- www.csoonline.com: The US is hitting back against the threat group, dubbed Salt Typhoon by Microsoft, which is allegedly behind recent cyber attacks against American telecommunications providers, as part of a wider campaign against Chinese-based hacking.
- Security Affairs: The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., LTD.
- Security Boulevard: U.S. Treasury Sanctions Chinese Individual, Company for Data Breaches
@therecord.media
The U.S. Department of Justice, working with the FBI, has removed the PlugX malware from over 4,250 infected computers within the United States. This multi-month operation targeted the command and control infrastructure used by hackers linked to the People's Republic of China (PRC). PlugX, a remote access trojan (RAT), has been used since 2014 by the group known as Mustang Panda, or Twill Typhoon, to infiltrate systems and steal information from victims across the U.S., Europe, and Asia, as well as from Chinese dissident groups. The Justice Department obtained court orders authorizing the operation to eliminate the malware, which is known for its capability to remotely control and extract information from compromised devices. The action aimed to disrupt the ability of state-sponsored cyber threat actors to carry out further malicious activity on affected networks.
The removal of PlugX involved a self-delete command that was developed by French cybersecurity firm Sekoia. The FBI tested the method before deploying it. This command deleted the malware from infected computers without impacting their legitimate functions or collecting any further content. The operation was conducted in partnership with French law enforcement, which also identified a botnet of infected devices in its own investigation. This international cooperation highlights the ongoing efforts to counteract nation-state cyber threats and protect U.S. cybersecurity. The owners of the affected devices have been notified of the actions through their internet service providers.
References:
- ciso2ciso.com: FBI Wraps Up Eradication Effort of Chinese ‘PlugX’ Malware – Source: www.darkreading.com
- Threats | CyberScoop: Law enforcement action deletes PlugX malware from thousands of machines
- The Hacker News: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
- therecord.media: The Record reports DOJ deletes China-linked PlugX malware.
- discuss.privacyguides.net: FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
- securityonline.info: “PlugX” Malware Deleted from Thousands of Computers in Global Operation
- www.justice.gov: Justice.gov press release on international operation to delete PlugX malware.
- www.scworld.com: Widespread PlugX malware compromise eradicated in law enforcement operation
- securityaffairs.com: FBI deleted China-linked PlugX malware from over 4,200 US computers
- CyberInsider: FBI Neutralizes PlugX Malware on 4,200 Computers in the U.S.
- securityboulevard.com: Security Boulevard article on FBI Deletes PlugX Malware From Computers Infected by China Group
- www.helpnetsecurity.com: FBI removed PlugX malware from U.S. computers
- The Verge: FBI hacked thousands of computers to make malware uninstall itself
- malware.news: PlugX malware deleted from thousands of systems by FBI
- Malwarebytes: Malwarebytes blog post on PlugX removal operation.
- www.bleepingcomputer.com: BleepingComputer reports on FBI wipes Chinese PlugX malware from over 4,000 US computers
- www.techmeme.com: The US says the FBI hacked ~4.2K devices in the US to delete PlugX, malware used by China-backed hackers since 2014, after obtaining warrants in August 2024 (Carly Page/TechCrunch)
- cyberpress.org: Cyberpress.org article about 4,000+ PCs Infected by Chinese Hackers with PlugX Malware
@cyberscoop.com
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
References:
- cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
- Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
- techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
- www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
- cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
- Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
- Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
- industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
- SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
- Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
- cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
Solomon (solomon.klappholz@futurenet.com)@Latest from ITPro
Cyber experts are raising serious concerns about operational technology (OT) security after the Volt Typhoon threat group went undetected within the US electric grid for almost a year. This prolonged compromise, lasting over 300 days, marks the first known infiltration of the US electric grid by the Voltzite subgroup, linked to the Chinese APT Volt Typhoon. The attackers targeted critical OT infrastructure data, underscoring the persistent and sophisticated cyber espionage efforts aimed at US infrastructure.
The security breach, discovered in November 2023, involved the Littleton Electric Light and Water Department (LELWD) in Massachusetts. Investigations revealed that Volt Typhoon likely gained access to LELWD's IT environment in February 2023. During the intrusion, the attackers sought specific data related to operational technology operating procedures and spatial layout data relating to energy grid operations. The incident led LELWD to expedite the deployment of its OT security solutions.
References:
- hackread.com: Chinese Volt Typhoon Hackers Infiltrated US Electric Utility for Nearly a Year
- PCMag UK security: Chinese Hackers Sat Undetected in Small Massachusetts Power Utility for Months
- www.itpro.com: Cybersecurity firm Dragos has revealed the Volt Typhoon threat group remained undetected in the US electric grid for nearly a year.
- www.scworld.com: US electric utility subjected to almost year-long Volt Typhoon compromise
- CyberInsider: Revealing the Volt Typhoon threat group's covert access to a Massachusetts electric utility network.
- bsky.app: Massachusetts Power Utility hacked by Chinese 'hackers' (cyber operators) for more than 300 days.
- Volt Typhoon Accessed US OT Network for Nearly a Year
- Information Security Buzz: Volt Typhoon Found Inside Massachusetts Electric Utility for Nearly a Year
- Industrial Cyber: Dragos details the hacking of LELWD and the VOLTZITE group.
- Matthias Schulze: China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
Andy Greenberg@Security Latest
The US Justice Department has charged 12 Chinese nationals, including government officials and alleged hackers, in connection with a broad cyberespionage campaign. The individuals are accused of participating in a decade-long wave of cyberattacks around the globe, including a breach of the US Treasury Department. The charges highlight the existence of a "hackers for hire" system, allegedly supported by the Chinese government, to carry out digital intrusions worldwide.
Silk Typhoon, identified as the Chinese hacker group APT27, is among those implicated in the US Treasury breach. This group is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world. Microsoft Threat Intelligence has tracked Silk Typhoon's ongoing attacks since late 2024, revealing their preferred method of breaking into victims' environments using stolen API keys and cloud credentials, particularly targeting IT companies and government agencies.
References:
- Source: Silk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world.
- Security | TechRepublic: DoJ Busts Alleged Global Hacking-for-Hire Network of ‘Cyber Mercenaries’
- The Register - Security: China's Silk Typhoon, tied to US Treasury break-in, now hammers IT and govt targets
- WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
@securityonline.info
Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have issued a warning about a prolonged cyber-attack campaign against organizations, businesses, and individuals in Japan since 2019. The attacks are attributed to the Chinese cyber espionage group known as MirrorFace, also called Earth Kasha, which is believed to be a subgroup of APT10. This group aims to steal sensitive information related to Japan’s national security and advanced technologies. The group has been seen targeting a wide range of sectors, including government bodies, defense, aerospace, semiconductor, communications, research organizations and the media.
MirrorFace has conducted several campaigns, including spear-phishing emails with malware attachments, exploiting VPN vulnerabilities, and using advanced techniques like abusing Windows Sandbox for malware execution and leveraging Visual Studio Code's development tunnels for stealthy remote control. The group deploys tools such as LODEINFO, ANEL, LilimRAT, NOOPDOOR and Cobalt Strike Beacon. The NPA has linked MirrorFace to over 200 cyber incidents in the past five years. Authorities have raised concerns about the sophisticated techniques and the focus on infiltrating Japanese national security and advanced technology sectors, and are working to mitigate the risks.
References:
- National Police Agency (Japan) (Japanese language): The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity have assessed that a cyber attack campaign against organizations, businesses and individuals in Japan from around 2019 to the present has been carried out by a cyber attack group called "MirrorFace" (also known as "Earth Kasha").
- securityonline.info: MirrorFace: Unmasking the Chinese Cyber Espionage Group Targeting Japan
- ciso2ciso.com: Japan Faces Prolonged Cyber-Attacks Linked to China’s MirrorFace – Source: www.infosecurity-magazine.com
- The Hacker News: MirrorFace Leverages ANEL and NOOPDOOR in Multi-Year Cyberattacks on Japan
- ciso2ciso.com: Japanese police claim China ran five-year cyberattack campaign targeting local orgs – Source: go.theregister.com
- www.npa.go.jp: National Police Agency (Japan) (Japanese language)
- Techmeme: Japan says Chinese hacking group MirrorFace is linked to 200+ cyberattacks from 2019 to 2024 targeting the country's national security and advanced tech data (Mari Yamaguchi/Associated Press)
- ciso2ciso.com: Chinese APT Group Is Ransacking Japan’s Secrets – Source: www.darkreading.com
- www.scworld.com: Years-long hacking spree against Japan linked to Chinese hackers
- Pyrzout :vm:: Japanese police claim China ran five-year cyberattack campaign targeting local orgs
- Latest from TechRadar: Japan says Chinese hackers have launched hundreds of attacks against targets in the country | Hacking group ‘MirrorFace’ accused of hitting dozens of targets
- securityaffairs.com: Japanese authorities attribute a cyber-espionage campaign targeting the country to the China-linked APT group MirrorFace.
Juan Perez@Tenable Blog
The Ghost (Cring) ransomware group, known for exploiting vulnerabilities in software and firmware, remains a significant threat as of January 2025. A joint cybersecurity alert from the FBI, CISA, and other partners warns the global cyber defender community of increasing attacks from this financially motivated group. CISA issued a joint advisory on February 19, 2025, emphasizing the group's ongoing activity.
The Ghost (Cring) ransomware first appeared in early 2021 and has impacted organizations across more than 70 countries by compromising vulnerable, internet-facing services. Security measures such as patching known vulnerabilities and implementing basic infosec actions are crucial in defending against these attacks. The SOC Prime Platform has curated Sigma rules to help detect Ghost (Cring) ransomware activity.
References:
- SecureWorld News: The FBI, CISA, and MS-ISAC have issued a joint cybersecurity advisory warning organizations about Ghost (Cring) ransomware, a sophisticated cyber threat that has been compromising critical infrastructure, businesses, and government entities worldwide.
- Tenable Blog: Rapid7 discusses Ghost Ransomware group targeting known Vulns.
- aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions.
- Resources-2: Picus Security provides Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation.
- socprime.com: Ghost (Cring) Ransomware Detection: The FBI, CISA, and Partners Warn of Increasing China-Backed Group’s Attacks for Financial Gain
- SOC Prime Blog: The FBI, CISA, and partners have recently issued a joint cybersecurity alert warning the global cyber defender community of increasing Ghost (Cring) ransomware attacks aimed at financial gain.
- thecyberexpress.com: A Ghost ransomware group also referred to as Cring, has been actively exploiting vulnerabilities in software and firmware as recently as January 2025.
- Security Boulevard: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- www.attackiq.com: CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- industrialcyber.co: CISA, FBI, MS-ISAC warn of Ghost ransomware
- securebulletin.com: Secure Bulletin provides an analysis of tactics, targets, and techniques used by Ghost Ransomware.
- Secure Bulletin: Securebulletin article on Ghost Ransomware
- The Register - Security: Ghost ransomware crew continues to haunt IT depts with scarily bad infosec
- cyble.com: FBI-CISA Ghost Ransomware Warning Shows Staying Power of Old Vulnerabilities
- aboutdfir.com: News article covering the joint advisory from CISA and the FBI on the Ghost/Cring ransomware.
@www.bleepingcomputer.com
//
Two separate reports describe Chinese APT activity against U.S. telecom providers and European healthcare organizations. In the first, Salt Typhoon used a custom utility named JumbledPath to monitor traffic inside U.S. telecom networks. In the second, a China-linked cluster exploited the Check Point security gateway flaw CVE-2024-24919 to get into European healthcare organizations, then deployed ShadowPad alongside the NailaoLocker ransomware, pairing espionage tooling with a financially motivated payload.
In the healthcare intrusions, the attackers obtained initial access through the unpatched gateway, moved laterally over RDP, and escalated privileges before installing ShadowPad and PlugX. NailaoLocker was dropped in the final stage to encrypt files and demand payment in Bitcoin. The presence of state-aligned espionage implants next to ransomware complicates attribution, since it blurs the line between government-directed operations and profit-driven crime.
Recommended read:
References :
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- The Hacker News: Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
- www.bleepingcomputer.com: Salt Typhoon uses JumbledPath malware to spy on US telecom networks
Mandvi@Cyber Security News
//
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.
The attacks involved malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors, which were used for data theft, surveillance, and deeper network penetration. In one intrusion against a U.S.-based NGO, the attackers used the Impacket toolkit to escalate privileges, run commands remotely, and dump authentication material. ESET's independent research concludes that FishMonger is an espionage team operated by I-SOON, underlining the continuing threat China-aligned APT groups pose to sensitive sectors worldwide.
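Impacket's example scripts leave recognisable artifacts in process-creation telemetry, which is what lets an investigator say "Impacket" rather than just "remote command execution". The following Python is an added example for this article, not code from ESET or from the campaign: it runs two default-configuration signatures for wmiexec.py and smbexec.py over a handful of constructed Sysmon-style events. The hostnames, paths and command lines are made up; the detection assumes the operator kept the scripts' default loopback admin share and generated output file names, which is exactly the case in which these patterns appear.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Hostnames, parent images and command lines are made up for this example.
EVENTS = [
    {"host": "ngo-fs01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1663847295.512 2>&1"},
    {"host": "ngo-dc01", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": (r"%COMSPEC% /Q /c echo net group Administrators ^> "
                 r"\\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & "
                 r"%COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat")},
    {"host": "ngo-ws07", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir 1> C:\Users\alice\out.txt 2>&1"},
    {"host": "ngo-dc01", "parent": r"C:\Windows\System32\wininit.exe",
     "cmdline": r"C:\Windows\System32\lsass.exe"},
]

# Default output-redirection shapes produced by Impacket's wmiexec.py and smbexec.py
# when run with their defaults: output goes to an admin share on 127.0.0.1 under a
# generated "__<epoch>" or "__output" file name. Assumption: defaults were kept.
WMIEXEC_RE = re.compile(
    r"/Q /c .+ 1> \\\\[\w.\-]+\\(ADMIN\$|C\$)\\__\d+\.\d+ 2>&1", re.IGNORECASE)
SMBEXEC_RE = re.compile(
    r"\\\\[\w.\-]+\\C\$\\__output .*execute\.bat", re.IGNORECASE)
LOOPBACK_SHARE_RE = re.compile(r"> \\\\127\.0\.0\.1\\(ADMIN\$|C\$)\\", re.IGNORECASE)


def classify(event):
    """Return the Impacket script a process-creation event resembles, or None."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    # wmiexec.py launches the shell via WMI Win32_Process.Create, so the parent is
    # the WMI provider host rather than an interactive process.
    if parent == "wmiprvse.exe" and WMIEXEC_RE.search(cmd):
        return "impacket-wmiexec"
    # smbexec.py installs a short-lived service whose binary path is the batch
    # wrapper, so services.exe is the parent of the spawned shell.
    if parent == "services.exe" and SMBEXEC_RE.search(cmd):
        return "impacket-smbexec"
    # Redirecting command output to an admin share on loopback is rare in normal
    # administration; surface it even when no specific tool matches.
    if LOOPBACK_SHARE_RE.search(cmd):
        return "loopback-admin-share-redirect"
    return None


def hunt(events):
    """Return (host, verdict) pairs for every event that matched a rule."""
    return [(e["host"], v) for e in events if (v := classify(e)) is not None]


if __name__ == "__main__":
    for host, verdict in hunt(EVENTS):
        print(f"{host}: {verdict}")
```

The parent-process condition matters: the wmiexec command line alone would also match a defender's own remote-admin script, but a shell whose parent is WmiPrvSE.exe writing to a loopback admin share is the combination that points at the tool. The same two regexes translate directly into Sigma `CommandLine|re` conditions if you prefer to ship them to a SIEM.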
Recommended read:
References :
- Cyber Security News: Chinese FishMonger APT Linked to I-SOON Targets Governments and NGOs
- Virus Bulletin: ESET's Matthieu Faou writes about Operation FishMedley, a global espionage operation by FishMonger, the China-aligned APT group run by I-SOON. In the victims list: governments, NGOs and think tanks across Asia, Europe and the United States.
- : FishMonger APT Group Linked to I-SOON in Espionage Campaigns
- gbhackers.com: GB Hackers: I-SOON’s ‘Chinese Fishmonger’ APT Targets Government Entities and NGOs
- Talkback Resources: Talkback: Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley [net] [rev] [mal]
@www.ghacks.net
//
Recent security analyses have revealed that the iOS version of DeepSeek, a widely used AI chatbot developed by a Chinese company, transmits user data unencrypted to servers controlled by ByteDance, exposing it to interception on the network and raising significant privacy concerns. The unencrypted data includes organization identifiers, software development kit versions, operating system versions, and user-selected languages. Apple's App Transport Security (ATS), which by default forces an app's network connections to use HTTPS with modern TLS, has been globally disabled in the DeepSeek app, removing the platform's own safeguard against exactly this kind of cleartext traffic.
Security experts from NowSecure recommend that organizations remove the DeepSeek iOS app from managed and personal devices to mitigate privacy and security risks, noting that the Android version of the app exhibits even less secure behavior. Several U.S. lawmakers are advocating for a ban on the DeepSeek app on government devices, citing concerns over potential data sharing with the Chinese government. This mirrors previous actions against other Chinese-developed apps due to national security considerations. New York State has already banned government employees from using the DeepSeek AI app amid these concerns.
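ATS is configured entirely through the `NSAppTransportSecurity` dictionary in an app's Info.plist, so "globally disabled" has a concrete, checkable meaning: `NSAllowsArbitraryLoads` set to true. The following Python is an added example written for this article, not code from NowSecure or from the DeepSeek app. It audits two constructed Info.plist documents (bundle identifiers and domains are made up; the keys are Apple's real ATS keys), one with ATS switched off for every connection and one that keeps ATS on and carves out a single scoped exception, which is the shape a reviewer would want to see instead.

```python
import plistlib

# Constructed Info.plist: ATS disabled for every connection (the weak configuration).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed Info.plist: ATS stays on; one legacy host is allowed plaintext HTTP.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

WEAK_TLS = {"TLSv1.0", "TLSv1.1"}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def audit_ats(plist_bytes):
    """Return (severity, message) findings for an app's ATS configuration.
    Accepts XML or binary plist bytes, as plistlib handles both."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads=true disables ATS for every connection"))
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(("medium", f"{key}=true relaxes ATS for a whole content class"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", f"plaintext HTTP permitted to {scope}"))
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(("low", f"TLS below 1.2 permitted to {scope}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"forward secrecy not required for {scope}"))
    return findings


def worst_severity(findings):
    """Highest severity rank among the findings, 0 when there are none."""
    return max((SEVERITY_RANK[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(blob))
```

To run this against a real build, extract the plist from the IPA (for example `unzip -p App.ipa 'Payload/*.app/Info.plist'`) and pass the bytes to `audit_ats`; binary plists work without conversion. A global `NSAllowsArbitraryLoads` also has a second cost the audit cannot see: App Store review accepts it only with a justification, so its presence in a shipped app says something about the vendor's process as well as the wire.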
Recommended read:
References :
- cset.georgetown.edu: China’s ability to launch DeepSeek’s popular chatbot draws US government panel’s scrutiny
- PCMag Middle East ai: House Bill Proposes Ban on Using DeepSeek on Government-Issued Devices
- Information Security Buzz: Recent security analyses have found that the iOS version of DeepSeek transmits user data unencrypted.
- www.ghacks.net: Security analyses revealed unencrypted data transmission by DeepSeek's iOS app.
- iHLS: Article about New York State banning the DeepSeek AI app.
Connor Jones@The Register - Security
//
A newly disclosed vulnerability, dubbed Wallbleed, has been found in China's Great Firewall (GFW). The flaw is an out-of-bounds read in the GFW's DNS injection subsystem, the component that forges DNS responses for censored names: a crafted query caused the injector to copy up to 125 bytes of its own process memory into the forged reply, giving researchers an unprecedented look at the internals of the censorship infrastructure.
A team of academics and security researchers studied the flaw from October 2021 onwards, using it to probe the GFW's inner workings, monitor its infrastructure, and observe the operators' attempts to patch the hole. The leaked memory revealed the CPU architecture of the injection machines, contained plaintext fragments of other users' network traffic passing through them, and showed that the system handles traffic from millions of IP addresses in China.
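The bug class is easy to show in miniature. The Python below is an added example written for this article, not the GFW's code: the real parser, copy lengths and memory layout are not public, so this is a simplified model of a DNS question-name (QNAME) walk. A QNAME is a sequence of length-prefixed labels ending in a zero byte. The vulnerable parser trusts each length byte and copies that many bytes from wherever they happen to be; the checked parser bounds every read by the packet length. The adjacent "memory" contents and the packet are constructed for the example.

```python
# Simplified model of a DNS injector parsing the question name of a query.
# Illustration of the bug class only; not the GFW's implementation.

HEADER_LEN = 12      # fixed-size DNS header precedes the question section
MAX_LABEL = 63       # RFC 1035 upper bound on a single label


def build_query(labels, trailing):
    """Build a DNS question with the given labels. 'trailing' is appended raw so a
    final label can claim more bytes than the packet actually contains."""
    body = b"".join(bytes([len(label)]) + label for label in labels)
    return bytes(HEADER_LEN) + body + trailing


def parse_qname_vulnerable(memory, pos=HEADER_LEN):
    """Trusts every label length byte. 'memory' stands for the receive buffer plus
    whatever the process keeps right after it; nothing stops the walk at the packet."""
    labels = []
    while True:
        length = memory[pos]
        pos += 1
        if length == 0:
            return labels
        labels.append(bytes(memory[pos:pos + length]))   # may read past the packet
        pos += length


def parse_qname_checked(packet, pos=HEADER_LEN):
    """Same walk, but every read is bounded by the packet length."""
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("name runs off the end of the packet")
        length = packet[pos]
        pos += 1
        if length == 0:
            return labels
        if length > MAX_LABEL:               # also rejects 0xC0.. compression pointers
            raise ValueError(f"invalid label length {length}")
        if pos + length > len(packet):
            raise ValueError("label length exceeds remaining packet bytes")
        labels.append(packet[pos:pos + length])
        pos += length


# Constructed adjacent memory: 59 bytes the process holds right after the packet,
# followed by a zero byte that happens to terminate the bogus name.
SECRET = b"peer=10.0.0.8;sess=7f3a9c1e;tok=QmFzZTY0U2VjcmV0;".ljust(59, b".")

# The malicious query: a normal label, then a label claiming 63 bytes (legal per
# RFC 1035) when only 4 bytes of the packet remain.
PACKET = build_query([b"www"], bytes([MAX_LABEL]) + b"abcd")
MEMORY = PACKET + SECRET + b"\x00" + bytes(8)


def leaked_bytes():
    """Bytes the vulnerable parser would copy into its forged reply from beyond the packet."""
    labels = parse_qname_vulnerable(MEMORY)
    return labels[1][4:]          # everything after the 4 real bytes "abcd"


def checked_rejects():
    """True when the bounds-checked parser refuses the same packet."""
    try:
        parse_qname_checked(PACKET)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("leaked:", leaked_bytes())
    print("checked parser rejects:", checked_rejects())
```

Note that the malicious length byte, 63, is a perfectly valid label length, so a parser that only validates the label-length field still leaks; the check that matters is against the remaining packet bytes. In the model the leak stops at the first zero byte the walk meets, which is the same reason a real injector's leak has a natural upper bound per query and why the researchers needed many queries to map the memory.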
Recommended read:
References :
- CyberInsider: Wallbleed Flaw in China’s Great Firewall Exposed Private Data
- The Register - Security: Wallbleed vulnerability unearths secrets of China's Great Firewall 125 bytes at a time
- Talkback Resources: Wallbleed bug reveals secrets of China's Great Firewall [exp] [net]
- The Register: Wallbleed vulnerability unearths secrets of China's Great Firewall 125 bytes at a time. Boffins poked around inside censorship engines for years before Beijing patched hole.
- AAKL: Smart folks investigating a memory-dumping vulnerability in the Great Firewall of China (GFW) finally released their findings after probing it for years.
@gbhackers.com
//
Chinese cybersecurity entities are accusing the U.S. National Security Agency (NSA) of running a multi-year cyber espionage campaign against Northwestern Polytechnical University (NPU), a leading Chinese institution for aerospace and defense research. The allegations, published by Qihoo 360 and the National Computer Virus Emergency Response Center (CVERC), attribute the attack to the NSA's Tailored Access Operations (TAO) unit, which Chinese sources track as "APT-C-40". The university disclosed the breach in June 2022 and named phishing emails sent to staff and students as the initial vector.
According to the Chinese investigators, the NSA deployed more than 40 malware strains and used zero-day vulnerabilities to gain access. Tools previously linked to the NSA, including the NOPEN backdoor and the SECONDDATE traffic-interception implant, were reportedly used to maintain persistence and capture network traffic. The attribution rests on forensic analysis and operational patterns: nearly all attack activity fell within U.S. business hours, with none on weekends or U.S. public holidays, and a misconfigured script exposed directory paths tied to TAO's tooling, including a Linux directory associated with NSA operations.
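The working-hours argument in these reports is a standard, if circumstantial, attribution technique: project the UTC timestamps of attacker activity into candidate time zones and see which one makes the operators look like a 9-to-6, weekday-only workforce. The Python below is an added example written for this article, not code from Qihoo 360 or CVERC, and the timestamps are constructed rather than taken from the NPU case. It uses fixed UTC offsets valid for February 2022 (no DST in any candidate then) so it runs without a tz database, and it also checks whether any activity lands on a candidate country's public holiday, the second signal the reports cite.

```python
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps of attacker activity (not data from the NPU case):
# four events per working day over two weeks of February 2022, skipping the
# weekend and Monday 21 February (Presidents' Day, a U.S. federal holiday).
_UTC = timezone.utc
EVENTS_UTC = [
    datetime(2022, 2, day, hour, 30, tzinfo=_UTC)
    for day in (14, 15, 16, 17, 18, 22, 23, 24, 25)
    for hour in (14, 16, 18, 20)
]

# Candidate operator time zones as fixed offsets for February 2022.
CANDIDATES = {
    "US Eastern (UTC-5)": -5,
    "China Standard (UTC+8)": 8,
    "Moscow (UTC+3)": 3,
}

# The only U.S. federal holiday inside the constructed window.
US_HOLIDAYS_2022 = {datetime(2022, 2, 21).date()}


def business_hours_fit(timestamps, offset_hours, start=9, end=18, holidays=frozenset()):
    """Fraction of events that fall on a weekday, outside the given holidays,
    within [start, end) local time for a UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and local.date() not in holidays and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def rank_zones(timestamps, candidates):
    """Candidates ordered from best to worst business-hours fit."""
    scored = [(business_hours_fit(timestamps, off), name) for name, off in candidates.items()]
    return sorted(scored, reverse=True)


def holiday_activity(timestamps, offset_hours, holidays):
    """Events that fall on the listed holidays in the candidate zone. An empty
    result for the best-fitting zone is the pattern the investigators described."""
    tz = timezone(timedelta(hours=offset_hours))
    return [ts for ts in timestamps if ts.astimezone(tz).date() in holidays]


if __name__ == "__main__":
    for score, name in rank_zones(EVENTS_UTC, CANDIDATES):
        print(f"{name:24s} business-hours fit = {score:.2f}")
    print("activity on US holidays:", holiday_activity(EVENTS_UTC, -5, US_HOLIDAYS_2022))
```

Treat the output as one signal among several. A disciplined operator can shift its schedule, shared tooling can be reused by another actor, and a 36-event sample like this one is far too small on its own; the reports above combine the timing pattern with tool overlap (NOPEN, SECONDDATE) and leaked directory paths before drawing a conclusion.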
Recommended read:
References :
- discuss.privacyguides.net: An inside look at NSA (Equation Group) attack on China
- gbhackers.com: NSA Allegedly Hacked Northwestern Polytechnical University, China Claims
- Talkback Resources: China’s Cybersecurity Firms Reveal Alleged NSA (Equation Group) Tactics in University Hack [for] [mal]